BreachExchange mailing list archives

How to get a grip on cyber security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Nov 2015 17:49:52 -0700

http://www.cipd.co.uk/pm/peoplemanagement/b/weblog/archive/2015/11/23/how-to-get-a-grip-on-cyber-security.aspx


Cyber security is increasingly in the news, whether it’s a teenage boy
hacking into TalkTalk or the chancellor’s recent announcement that the
government will invest £1.9bn to beef up its virtual defences.

All information, including employees’ records, is of value to the cyber
crook. And when an attack happens the risks range from loss of revenue to
fraud, reputational damage and even a fine from the regulator if you don’t
take proper care of your data. Retail giant Morrisons is currently facing a
legal claim brought by a group of 2,000 employees whose bank and salary
details were leaked by a disgruntled colleague.

Data held by many organisations is just not as secure as you might expect.
“We’re vulnerable because we have not developed the securities that we
should have done in the way we have with aeroplanes and cars,” says Martin
Smith, chairman and founder of The Security Company and The Security
Awareness Special Interest Group. “With computers we are now at the stage
where we do need to be more secure. The problem is where do you start?”

Get the basics in place
“Many employers still haven’t figured out what they should be doing,” says
Smith. But first you need to understand that there is a threat and then
think about what impact any security breach could have on your business.

He says ensure you’ve got the basic defences in place: firewalls,
encryption and passwords. And make sure that they’re turned on. “It’s
unbelievable, but people have firewalls and don’t turn them on. When an
organisation forgets to turn on their firewall or encryption, it’s like
someone saying they’re looking after their health because they’ve bought a
subscription to the gym. It only works if you use it.”

Tell your employees what you’d like them to do
Most cyber attacks are not sophisticated, says Smith. “Every single attack
starts with somebody opening a door by clicking on an attachment or giving
away information. So educate your workforce on what it is you want them to
do.”

For example, tell staff they shouldn’t click on a link or attachment in an
email if they are not 100 per cent certain that the source is trustworthy.
It’s also important to discourage your staff from using passwords that are
too simple. “The most popular password is still ‘password’,” says Smith.
“Another common one is ‘123456’. I’m keen that it should be something
memorable; just don’t share that information online. You can even write it
down as long as it is somewhere safe. It’s about being pragmatic and
practical.”

Hire honest people and keep them honest
HR has a big role to play in ensuring the ongoing security of an
organisation’s data. “You need to make sure you hire honest people and that
they stay honest,” Smith says. “That sounds very glib but it’s very
important to make sure that when you recruit someone you check references
and qualifications.”

Smith says it is also about ensuring line managers keep an eye on people
and look out to see if they’re careless, under stress or vulnerable. “This
used to happen, but in the digital age because we work virtually or at home
it’s more difficult to keep track of people than it used to be. People have
their own computers and their own email addresses. Some employees have no
human contact with line managers. This means it is even more important that
you do keep track of people,” he says.

“HR can also make sure people are properly trained and capable of using
systems that are safe and secure.”

Make security everyone’s responsibility
Generally digital and online security falls under the auspices of IT. But
Smith says your entire workforce can be your security team if you ask them
to take care of data and watch out for suspicious behaviour. “Tell your
workforce that they shouldn’t be sharing their passwords and that they need
to change them if they think they’ve been compromised. And don’t leave
systems logged on when unattended.

“The biggest vulnerability of all is that most people are entirely
trusting. We’re not trying to make everybody paranoid, but that’s how
criminals get in,” he says. “Almost all people are inherently honest and
they will behave properly if told what it is you want them to do, so they
understand.”

Exercise caution with BYOD access
People like to bring their own devices (BYOD), like mobile phones and
tablets, into work, says Smith. But he cautions: “When you break down the
barrier between your work and your personal life then you’re exposing
yourself to huge risk. A crook could come in through your private profile
and gain access to work information.”

Smartphones can represent a huge data risk, he says, because they are
powerful and have lots of data and access. They should be just as secure as
other devices.

“HR people need to be aware that the biggest danger to their organisation
is not the inside crook, it’s the insider who is just unaware of the ways
in which the crooks come in through them. The key to secure data is getting
your staff to behave sensibly, to use the technology properly and to be
aware of dangers.”


Smith says: “If you follow half a dozen of these basic tips the majority of
your vulnerabilities will disappear overnight.

“Most attacks are not sophisticated and they never were because they don’t
need to be. The crook doesn’t need to work very hard because most
organisations are leaving their doors and windows wide open when it comes
to cyber security. It’s like leaving a key on a piece of string inside a
letterbox.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss